Summary
The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed
users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creation
process, AWS would create a new CodeStarWorker IAM policy & attach it to the user making the call.
This policy granted full access to over 50 AWS services, including iam:AttachRolePolicy, iam:AttachUserPolicy and iam:PutRolePolicy permissions,
which would allow the user to escalate to full administrator access. Following disclosure, AWS removed
the majority of access granted by the CodeStarWorker policy, but this is still a viable escalation path if
there are other misconfigurations in the environment.
Affected Services
Codestar
Remediation
If not using the CodeStar service, ensure that the “aws-codestar-service-role” is removed from all your accounts.
Apply principle of least privilege to all CodeStar-related resources to ensure the codestar:CreateProjectFromTemplate
permission is only granted when absolutely necessary. Implement monitoring on any users with access to the
codestar:CreateProject and iam:PassRole actions to detect potential escalation attempts.
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/blakedunson
Disclosure Date
Tue, Mar 19th, 2019
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Spencer Gietzen, Rhino Security Labs
